November 19th 03, 04:49 AM, posted to uk.transport.london, alt.2600, sci.crypt
Peter Fairbrother
Security of Oyster Cards

Michael Brown wrote:

> I believe there was a similar attack developed against the Telecom
> phone-call cards, though I can't find any details of it so quite possibly it
> was just my imagination.


At one time BT phone-call cards used IR pulses to deactivate (melt) each
token on the card. If you covered the relevant part of the card with e.g. a
good quality clear nail polish the deactivation failed, and you could reuse
the card forever. I don't think they work that way any more.



Oyster cards have a few unexpected security risks - people tend to keep them
in their wallets, and take their wallets out of their pockets to wave over
the reader. Gives pickpockets a chance to eye up the wallet, and learn where
its owner keeps it, and it gives thugs the chance/inspiration to grab the
wallet and run.

The privacy implications aren't good either. All card usage is tracked
offline, to prevent use by multiple people, and usage records stored for
that purpose. The Police etc can ask for them (and may soon become able to
demand them, but that's another story) and use them to track your movements.


--
Peter Fairbrother